http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html
Personal Data for Law Enforcement, Security Professionals Exposed
By Brian Krebs
washingtonpost.com Staff Writer
Monday, December 19, 2005; 5:33 PM
Guidance Software -- the leading provider of software used
to diagnose hacker break-ins -- has itself been hacked, resulting in the
exposure of financial and personal data connected to thousands of law
enforcement officials and network-security professionals.
Guidance alerted customers to the incident in a letter sent
last week, saying it discovered on Dec. 7 that hackers had broken into a
company database and made off with approximately 3,800 customer credit card
numbers. The Pasadena, Calif.-based
company said the incident occurred sometime in November and that it is working
with the U.S. Secret Service on a more detailed investigation.
Michael G. Kessler, president of New York City-based
computer-forensics investigative firm Kessler International, received a letter
notifying him that the company's American Express card was among those
compromised by the attackers. Kessler received the notice from Guidance at the
same time that a company credit-bill arrived with what he said were $20,000 in
unauthorized charges for pay-per-click advertising at Google.com.
"I just got our American Express bill and nearly fell
out of my chair," Kessler said. "You'd think Guidance would be the
last company this kind of thing would happen to."
Guidance's EnCase software is used by hundreds of security
researchers and law enforcement agencies worldwide, including the U.S. Secret
Service, the FBI and New York City police. John Colbert, the company's chief
executive officer, said Guidance alerted all of its customers less than two days
after discovering the break-in, and that it would no longer store customer
credit card data.
"This certainly highlights the fact that intrusions can
happen to anybody and that nobody should be complacent about security," he
said. Colbert declined to discuss further details of the attack, citing the
ongoing investigation.
Guidance stored customer records in unencrypted databases,
and indefinitely retained customers' "card value verification" (CVV)
numbers, the three-digit codes on the back of credit cards that are meant to
protect against fraud in online and telephone sales, according to Colbert and
the notification letter sent to customers.
Merchant guidelines published by both Visa and Mastercard
require sellers to encrypt customer credit-card databases. They are also
prohibited from retaining CVV numbers for any longer than it takes to verify a
given transaction.
Companies that violate those standards can be fined $500,000
per violation. Credit card issuers
generally levy such fines against the bank that processes payment transactions
for the merchant that commits the violations.
The fines usually are passed on to the offending company.
Secret Service and FBI customers were among those whose
information was included in the hacked database, Colbert said, but he declined
to say whether credit card information belonging to those agencies was
compromised. Secret Service spokesman
Eric Zahren would only confirm that the agency is investigating the break-in.
FBI officials could not be immediately reached for comment.
Kessler said several of his company's employees also
received notices. Among the items Guidance said were taken by hackers were
company employees' names, addresses, telephone numbers, credit card numbers,
card expiration dates and card verification numbers.
Another security professional who got the notification
letter said he was surprised that the company did not detect the intrusion for
nearly two weeks, a lapse in time that could make it much more difficult to
catch the perpetrators.
"Unfortunately, most cyber crimes require being worked
very quickly in order to gather data before it is purged either by attackers or
just in the normal course of business," said Doug Rehman, president of
Rehman Technology Services in Mount Dora, Fla., who learned that his credit
card and personal data had been exposed.
"Hopefully this incident will be a call for our
community to wake up, particularly the vendors who ought to be among the
forefront in dealing with security issues," Rehman said.
The intrusion at Guidance caps a year marked by an
unprecedented number of disclosures about hacker break-ins at major
corporations that hold customer data. Many of those attacks targeted law
enforcement entities indirectly or directly. In March, data aggregator LexisNexis
acknowledged that hackers had illegally accessed information on more than
310,000 consumers, an attack that was later determined to have been launched
after hackers broke into computers used by at least two separate police
departments.
Last week, investigators at CardCops.com found that a
digital intrusion at a company that manufactures police name badges had
compromised the personal information and credit card accounts belonging to
dozens of police departments and officers.
Krebs is a reporter for washingtonpost.com.
© 2005 Washingtonpost.Newsweek Interactive